I need full disk encryption for business laptop computers running a current version of Windows 10 Pro. The computers have an NVMe SSD drive from Samsung and an Intel Core i5-8000 CPU.
From some web research today, there are currently only two options available: Microsoft BitLocker and VeraCrypt. I am fully aware of the state of open and closed source and the security implications that come with that.
After reading some information about BitLocker, which I had never used before, I have the impression that, starting with Windows 10, BitLocker only encrypts newly written data on the disk but not everything that already exists, for performance reasons. (That documentation says I have a choice, but I don't. They didn't ask me what I want after activating it.) I have used TrueCrypt system encryption in the past and know that encrypting existing data is a visible task that takes a few hours. I cannot observe such behaviour with BitLocker: no noticeable background CPU or disk activity.
Activating BitLocker is really easy. Click a button, save the recovery key somewhere safe, done. The same process with VeraCrypt made me abandon the idea. I needed to actually create a fully working recovery device, even for testing purposes on a throw-away system.
I've also read that VeraCrypt currently has a design flaw that makes some NVMe SSDs extremely slow with system encryption. I can't verify it because the setup is too complicated. At least after activating BitLocker, I can't see a significant change in disk performance. Also the VeraCrypt team has insufficient resources to fix that "complicated bug". Additionally, Windows 10 upgrades can't operate with VeraCrypt in place, which makes frequent full-disk de- and encryptions necessary. I hope BitLocker works better here.
So I'm almost settled on using BitLocker. But I need to understand what it does. Unfortunately, there is almost no information about it online. Most consists of blog posts that give an overview but no concise in-depth information. So I'm asking here.
After activating BitLocker on a single-drive system, what happens to existing data? What happens to new data? What does it mean to "suspend BitLocker"? (Not the same as permanently deactivating it and thereby decrypting all data on disk.) How can I check the encryption status or force the encryption of all existing data? (I don't mean unused space; I don't care about that, and it's required for SSDs, see TRIM.) Are there any more detailed data and actions for BitLocker other than "suspend" and "decrypt"?
And maybe, on a side note, how does BitLocker relate to EFS (Encrypting File System)? If only newly written files are encrypted, EFS seems to have a very similar effect. But I know how to operate EFS; it's much more understandable.
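The status, suspend and conversion checks the question asks about, as an added example that is not part of the original post: PowerShell for an elevated prompt on Windows 10, using the built-in BitLocker cmdlets and manage-bde. It assumes the system volume is C: and an English-language Windows, since the "Conversion Status" line is parsed from manage-bde's text output; the helper function name is my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on Windows 10. Assumes the OS volume is C: and English output from
# manage-bde (the "Conversion Status" line is matched as text).

function Get-BitLockerSummary {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # VolumeStatus is FullyDecrypted, EncryptionInProgress, FullyEncrypted or
    # DecryptionInProgress; EncryptionPercentage tracks a running conversion.
    # ProtectionStatus is Off while BitLocker is suspended (protectors disabled,
    # volume key stored in the clear) even though the data on disk stays encrypted.
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        EncryptionMethod     = $vol.EncryptionMethod
        ProtectionStatus     = $vol.ProtectionStatus
        KeyProtectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        # Get-BitLockerVolume does not say whether free space was skipped;
        # manage-bde -status prints "Used Space Only Encrypted" or "Fully Encrypted".
        ConversionStatus     = (manage-bde -status $MountPoint |
                                Select-String 'Conversion Status').Line.Split(':', 2)[1].Trim()
    }
}

Get-BitLockerSummary -MountPoint 'C:'

# Suspend: the data stays encrypted, but the key protectors are disabled so the
# next boot succeeds without the TPM/PIN check (used around firmware and feature
# upgrades). -RebootCount 1 makes Windows resume protection after one reboot;
# Resume-BitLocker re-enables the protectors by hand.
Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
Resume-BitLocker  -MountPoint 'C:'

# Pause and resume an in-progress conversion (encryption or decryption).
manage-bde -pause  C:
manage-bde -resume C:

# A "used space only" volume encrypted every allocated cluster when it was turned
# on and encrypts every write since; only clusters that were free at that moment
# still hold whatever they held before. To cover those as well, either overwrite
# the free space (accepted only on used-space-only volumes) ...
manage-bde -WipeFreeSpace C:
# ... or decrypt and re-encrypt as a full-volume conversion (omit -UsedSpaceOnly).
# Destructive for the current protectors, so left commented out:
# Disable-BitLocker -MountPoint 'C:'
# Enable-BitLocker  -MountPoint 'C:' -TpmProtector -SkipHardwareTest
```

The two lines worth reading first are VolumeStatus together with EncryptionPercentage (whether a conversion has finished) and ConversionStatus (whether free space was skipped). ProtectionStatus is what "suspend" changes; VolumeStatus is what "decrypt" changes.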